"Secure by default" means network-safe authentication and encryption. This page describes areas in which secure-by-default
capabilities are not yet implemented for the MapR platform or ecosystem components. Included where applicable are links
to more information to help you work around those issues.

Encryption in MapR

MapR supports encryption of data on the wire and data at rest to prevent
unauthorized access to sensitive data. These encryption methods are in addition to
authentication and authorization protections. Encryption can be used to avoid exposure to
breaches such as packet sniffing and theft of storage devices.

Data transmission between nodes in a secure MapR cluster is encrypted,
preventing an attacker with access to that communication from gaining information about the
contents of the transmission. Encryption of data-at-rest prevents unauthorized users from
accessing sensitive data and protects against data theft through sector-level disk access.

On-Wire Encryption

Data transmission between nodes in a secure MapR cluster over any network connection
supported by MapR is encrypted. When you run the configure.sh utility with the
-secure option, you are enabling the cluster for security,
authentication, and wire-level encryption for the platform and all ecosystem components. In
secure mode, MapR automatically encrypts all data traffic. Enabling encryption ensures that data to and from the
locations you specify is encrypted as it travels over the network.

Nodes with CPUs that support AES encryption at the hardware level provide superior
performance on encryption tasks. You can determine if the CPU of a node supports the AES
instruction set by running the following command:

$ cat /proc/cpuinfo | grep flags | grep aes
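
The command above prints the full flags line of every logical CPU that matches, and it matches any flag containing the substring "aes". The following added example (not part of the MapR documentation) counts logical CPUs whose flags include the exact token aes and returns a non-zero status if any lack it. The function names aes_cpu_report and sample_cpuinfo are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the MapR documentation.

# aes_cpu_report [FILE]
# Prints "<cpus_with_aes>/<total_cpus>" for a cpuinfo-format file
# (default: /proc/cpuinfo). Returns 0 only if every logical CPU has "aes".
aes_cpu_report() {
    awk '
        # Only the per-CPU "flags" line counts; "vmx flags" has $1 == "vmx".
        $1 == "flags" {
            total++
            # Compare whole tokens so that e.g. "vaes" alone is not a match.
            for (i = 2; i <= NF; i++) {
                if ($i == "aes") { with_aes++; break }
            }
        }
        END {
            printf "%d/%d\n", with_aes, total
            exit (total > 0 && with_aes == total) ? 0 : 1
        }
    ' "${1:-/proc/cpuinfo}"
}

# Constructed sample: two logical CPUs, the second deliberately without the
# "aes" token (artificial, to exercise the whole-token comparison).
sample_cpuinfo() {
    printf 'processor\t: 0\n'
    printf 'flags\t\t: fpu sse2 aes avx\n'
    printf 'processor\t: 1\n'
    printf 'flags\t\t: fpu sse2 vaes avx\n'
}

# Demo on the constructed sample. On a real node, run: aes_cpu_report
tmp=$(mktemp) && sample_cpuinfo > "$tmp"
aes_cpu_report "$tmp" || echo "not every logical CPU advertises AES"
rm -f "$tmp"
```

Because the function sets its exit status, it can be run on each node of a cluster to flag nodes that would perform encryption without hardware AES support.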

Data-at-Rest Encryption

Data on disk (or data-at-rest) in a secure MapR cluster can be encrypted, enabling you to
protect the data if a disk is compromised. Encryption of data-at-rest not only prevents
unauthorized users from accessing sensitive data, but it also protects against data theft
via sector-level disk access. When you run the configure.sh utility with the
-dare option, you are enabling the data-at-rest encryption feature at the
cluster level. If encryption of data at rest is enabled, new volumes are encrypted by
default with the option to create a volume without encryption. For example, if you have a
volume that contains data that is not at all sensitive, you might not want to encrypt it.
For encrypted volumes, MapR automatically encrypts data at rest and manages the keys used to
encrypt data seamlessly; you do not need special utilities to encrypt or decrypt the data.
MapR uses AES256/XTS to protect data on the disk.

SSL Certificates
Describes how certificates are used to perform authentication and encryption for websites that use the HTTPS protocol.